Information security is on every business’s radar these days. Data drives so much of what we do. Looking to contain the risks, many sectors have established IT compliance regulations. Whether meeting a standard or not, don’t overlook these common areas of concern.
Governments and regulatory agencies have established compliance standards for the financial, legal, healthcare, and energy sectors. Other organizations abide by best practices for data protection and improving system security. Whether mandated or not, the goals remain similar:
- Improve security protocols.
- Identify vulnerabilities.
- Prevent breaches.
- Reduce losses.
- Increase access control.
- Educate employees.
- Maintain customer trust.
Shortcomings can mean compliance concerns, industry fines, customer churn, and brand reputation damage. Being proactive about these four common issues can benefit companies in any industry sector.
Common Issues that Thwart Compliance
Companies with Bring Your Own Device (BYOD) policies save $350 annually per employee, according to CISCO, but cost savings aren’t the only reason organizations are embracing BYOD. Letting people use personal mobile devices at work improves productivity and engages employees.
Yet allowing BYOD in the work environment can make the organization more vulnerable. There is greater risk of:
- spread of malicious applications or viruses;
- employees accessing business materials using unsecured Wi-Fi;
- people who have left the company continuing to have access to proprietary systems.
- None of these are good from a compliance point of view.
Personal portable devices may not have the same access controls as business computers, which makes them more vulnerable if lost or stolen.
This brings us to a second common compliance concern: physical security. A business may do a brilliant job of securing its devices on-site. It has firewalls, patches security regularly, and asks employees to update passwords, but what happens if a laptop, mobile phone, or USB drive is stolen or lost?
All devices accessing business systems and networks from off-site should use encryption. With remote monitoring and management, IT staff can control security configurations regardless of the end-user environment. Mobile device management allows your IT team to secure, locate, or erase any mobile device used for business.
Counting on Others for Compliance
Another area of concern is third-party connections. Again, your business may be top of the class as far as the five core functions of cybersecurity – Identify, Protect, Detect, Respond, and Recover – are concerned, but what if your vendor’s security isn’t up to snuff.
Do you have business partners that are storing your sensitive data? Or does a supplier have access to personally identifying customer or employee information? Third-party risk is a real thing – ask Target. Cybercriminals stole data for 40 million debit and credit cards via the retailer’s HVAC company.
Cybercriminals could use a third party’s lax security to target you. Make sure that your vendors are taking cybersecurity as seriously as you do.
Even in your own business environment, cut the number of people who have access to sensitive data. Obviously, you’ve hired people you think you can trust, but you can still better ward off the insider cybersecurity threat by:
- educating employees about the importance of strong passwords, securing devices, and physical security;
- informing people about social engineering (e.g. phishing emails or fraudulent business communications);
- limiting personnel access to data, network, or systems based on necessity;
- having a policy to revoke access permissions and reclaim devices from any employee leaving the company.
Ensuring compliance takes technological know-how and awareness of the evolving threat landscape. This vigilance, communication, and education require time and effort. Put the right policies and procedures in place with our help.